Quadriga Initiative

Mar 2023 - Seed Phrases in Evernote Theft jbtravel84 - $300k (Global)

"This is my first post and my most sad one to date. Three of my wallets got hacked, totaling over 300k.

I'm a complete moron for storing passwords and seed phrases for these accounts in Evernote here.

Metamask - 0x023D8a816A8b6394f3144fD74aA3820689fEcaA0

Rocketpool Node - 0xa24757BC32579541F33B1bCD2E36355D39B1686a [withdrawal address was changed]

Daedalus - addr1q9h9ul8puyl3pa7yuwur72jj4rtk675zrqajgk5ppw209r567tjydwsrrnwhxlktacnusp0af8w6l645u0fyps6swg9skrqlgl

I'm a big fan of MOONs and had over 80k. I can see the hacker swapped all my Metamask assets into ETH where they are currently stored at this address - 0xe147a73e7d783166f791f10342a0122db80814c4

I'm absolutely devastated and not sure what to do.

Should I contact the FBI?

It appears the hacker could be from Germany based on the Evernote access logs. I could be wrong and both logins could be from a VPN. [UPDATE - These login attempts came from a TOR Exit Node as mentioned in the comments. The below, however, was the first attempt to connect to my Evernote. It was not a successful login.]

https://preview.redd.it/85vyv47upkoa1.png?width=998&format=png&auto=webp&s=f829d32552cb2c833180a5a0738770ff9b25185c

My biggest loss is the Rocketpool Node. I may have the first compromised node? He changed the withdrawal address to - 0x8294b95d303949699167f7579c9da49f6359d4ff. I can do nothing while he collects rewards. I believe I have some time here since nothing can be physically withdrawn until the Shanghai Upgrade.

Lastly the Daedalus account had maybe 8k in ADA where it currently sits in the hacker's address here - addr1q8lee9tt64w6uwj9xwne2hnca8x8e2vg87prhl43uqdhdgk232uaxahskg735wxx28xwrhjj97fhphnyz3ppn3fjpygsywcdlv

Thanks again and I deserve all the shame headed my way!

UPDATE 1 - Thanks for the love and support. My biggest concern is the Rocketpool Node which has about 250k staked. I can't change the withdrawal address but looking at other options since the hacker can't withdraw until Shanghai upgrade

UPDATE 2 - We've found a number of wallets the hacker has used to move funds around. All of these were created on or after March 15th.

UPDATE 3 - Funds are withdrawn from rocketpool node. New wallets created to move:

0x6ce770476203fd13ce77e98299767ff51b2713cb
0xb58088bf3df7309ad22c62ba27310f7f28df0ff8
0xB129845c082b3BD6Ce163e8B0369aCc6E929B7bC [KuCoin Deposit Address]"

"I came across your 83580.59 Moons transaction on ccmoons website today and thought looks like some whales are moving their Moons around."

Further Analysis

Reddit user jbtravel84 stored all of their seed phrases online in their Evernote account and, in January 2023, posted to brag about being a moon whale. Their funds remained safe for 2 months before all of them were taken. They are working with different authorities to investigate what happened.

How Could This Have Been Prevented?



